The “Real-Time Find and Replace” WordPress plugin was updated recently to address a high severity vulnerability that could be exploited to inject code into a website.
Designed to allow WordPress site admins to dynamically replace HTML content from themes and other plugins with content of their choosing before the page is served to users, the plugin is available as open source and has over 100,000 installations.
The recently identified vulnerability, a Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS), could have allowed an attacker to inject malicious JavaScript code on a target site, but only by tricking the administrator into performing specific actions, such as clicking a link.
The core of the plugin’s functionality for adding find and replace rules resides in the function far_options_page, which did not verify the integrity of a request’s source, because it did not use nonce verification, WordPress security company Defiant discovered.
“Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content,” Defiant says.
By replacing an HTML tag like with malicious JavaScript, an attacker would ensure their code executes on nearly every page of the targeted site. Leveraging the injected code, the attacker could create a new administrative account, steal session cookies, or direct users to a malicious site.
Defiant reported the vulnerability to the plugin’s developer on April 22 and the security flaw was addressed the same day.
“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” Defiant explains.
Version 4.0.2 or newer of the Real-Time Find and Replace plugin includes a patch for the bug, and users are advised to update the plugin as soon as possible to ensure their WordPress websites are protected.
Related: Unpatched Flaw in Discontinued Plugin Exposes WordPress Sites to Attacks
Related: Critical Flaw in SEO Plugin Exposed Many WordPress Sites to Attacks
Related: WPvivid Backup Plugin Flaw Leads to WordPress Database Leak